Professional News

More Answers About Law Amending HIPAA Rules

Abstract

The HITECH (Health Information Technology for Economic and Clinical Health) Act is Title 13 of the American Recovery and Reinvestment Act of 2009 (ARRA). While the various subtitles of HITECH cover many topics relevant to physicians (for example, financial incentives for health information technology), this article will address Subtitle D of HITECH amending the privacy and security rules under HIPAA (Health Insurance Portability and Accountability Act of 1996).

HIPAA's privacy and security rules established floors of confidentiality and security protections for patients' demographic and health information in all forms—paper, oral, and electronic. The development of health information technology (for example, electronic health records, personal health records, health information exchanges) has resulted in additional risks; HITECH builds on the privacy and security rules to address these new risks.

How has HIPAA enforcement increased?

• State attorneys general can bring enforcement action for violations of federal HIPAA regulations.

• Employees and individuals are subject to HIPAA's criminal penalties.

• The Department of Health and Human Services (HHS) must conduct audits of covered entities and business associates.

• HHS must investigate complaints of willful neglect, and if substantiated, HHS must impose a statutory penalty of at least $10,000 to $50,000 per violation.

• HHS and state attorneys general can pursue civil HIPAA violations in cases in which a criminal penalty could attach but the Department of Justice declines to pursue.

• Individuals can recover a percentage of penalties imposed or settlement proceeds from HIPAA investigations based on their complaints.


What are the penalties for HIPAA violations?

Civil penalties for HIPAA violations have increased for covered entities and business associates to $100 to $50,000 or more per violation, with a cap of $1.5 million per calendar year for multiple identical violations. “Violation” means disclosure of one person's information.

Criminal penalties remain up to $250,000 and 10 years imprisonment.

What can I do to ensure compliance with the Privacy Rule?

The first step is to understand what the Privacy Rule requires. There are comprehensive educational resources available on the HHS Web site, <www.hhs.gov/ocr/privacy>. Remember that under HIPAA's Privacy Rule, patients have the right to receive a Notice of Privacy Practices; authorize the release of information for purposes other than treatment, payment, or health care operations; request restrictions on disclosures; access the records (with very limited exceptions); request amendment of the record; request an accounting of disclosures (other than for treatment, payment, or health care operations purposes); complain about violations to the provider and to HHS; and have only the minimum necessary information disclosed.

Also under the Privacy Rule, covered providers must designate a privacy officer and contact person/office; implement safeguards (administrative, physical, and technical safeguards) for protected health information (PHI) (oral, paper, and electronic); mitigate damages from unauthorized uses or disclosures of PHI; investigate complaints; prevent retaliation for complaints; impose sanctions for privacy violations; have documented confidentiality policies and procedures; and train employees on confidentiality policies and procedures.

The second step is to understand HHS's Privacy Rule enforcement. While no civil monetary penalties have been imposed to date, HHS has publicized two resolution agreements. In the most recent case from January 2009, the CVS drug-store chain agreed to pay $2.25 million to resolve allegations stemming from media reports that PHI was being disposed of in unsecured dumpsters. The second case, from July 2008, involved a resolution agreement to settle allegations related to loss of electronic backup media and laptop computers with PHI. The health care system involved agreed to pay $100,000. HHS's Web site also contains examples of cases that were investigated, violations that were found, and corrective actions that were ordered.

What can I do to ensure compliance with the Security Rule?

First, know what the Security Rule requires to protect against reasonably anticipated improper use or disclosure of electronic PHI. The Security Rule has general requirements to

• conduct a risk analysis,

• develop, implement, and maintain appropriate security measures,

• document the security measures in policies and procedures, and

• update risk and security measures.

The Security Rule consists of 18 safeguards (administrative, physical, and technical), and for each of the three types of safeguards, there are standards (what must be done) and implementation specifications (how it must be done).

Second, become familiar with the vast amounts of educational and enforcement information made available by HHS. While its Office for Civil Rights now enforces both the Privacy and Security Rules, its Centers for Medicare and Medicaid Services (CMS) originally enforced the Security Rule and published many enforcement resources including a “Security Guidance,” posted at <www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806rev.pdf>, which addresses portable-device security.

Moreover, CMS issued a list of what would need to be provided by a covered entity in a Security Rule audit—20 different types of policies and procedures and an additional 19 specified documents. CMS also published compliance reviews indicating that the most common security complaints involve unauthorized access to electronic PHI (particularly by employees), loss or theft of devices containing electronic PHI, and insufficient access controls, such as lack of encryption.

What do I need to know about breach notification?

Covered providers and business associates need to be aware of the requirements under state and federal breach notification laws.

Under HITECH's federal breach notification law:

• When is compliance required? Compliance was required as of September 23, 2009. However, HHS has indicated that it will not enforce the breach notification requirements until February 2010.

• What is a breach? Breach means the unauthorized acquisition, access, use, or disclosure of “unsecured” PHI (which includes demographic information) that poses a significant risk of financial, reputational, or other harm to the patient. According to HHS's Breach Notification Guidance, PHI is secured only if it is encrypted or destroyed.

• What is not a breach? The HHS regulation on breach notification provides examples of inadvertent, harmless mistakes that would not be considered a breach.

• Who has to be notified? Covered entities must notify each affected individual of a breach of unsecured PHI. Notifications must be provided “without unreasonable delay,” but no later than 60 days after breach discovery. If more than 500 people are affected, notice of the breach must be made to the media and to HHS. If fewer than 500 people are affected, notice to HHS can be provided annually.

• What about breaches by business associates? Covered providers will need to ensure that their business-associate agreements reflect the business associate's obligation to notify the covered entity of any breach.

• What do I need to do to ensure compliance? Prior to a breach, physicians should develop processes to prevent and discover breaches, train staff, and ensure ongoing monitoring. Once a breach is discovered or reported:

  – Determine if a breach occurred. Has there been an impermissible use or disclosure of unsecured PHI that poses a significant risk of financial, reputational, or other harm to the patient?

  – If so, determine if it is reportable. Does the breach fall under one of the limited exceptions?

  – Determine what, if anything, needs to be done to mitigate the harmful effects of the breach (credit monitoring, additional audits, employee sanctions, new safeguards, etc.).

  – Provide timely notice to the individual(s) and to HHS.

Under state law:

While there is no uniformity among state laws on breach notification, almost all states have some type of consumer-protection law requiring businesses to notify customers of an inappropriate use or disclosure of their information. Some state laws are reactive—requiring notification of the breach. Other states are reactive and proactive—also requiring specific security standards be met to prevent breach of consumers' data. And at least one state, California, has expanded its breach-notification law to include breach of medical information.

The National Conference of State Legislatures has a resource to find state breach-notification requirements: <www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx>.

Where can I find more information?

• American Recovery and Reinvestment Act of 2009, <http://fdsys.gpo.gov/fdsys/pkg/BILLS-111hr1ENR/pdf/BILLS-111hr1ENR.pdf>

• HHS Office for Civil Rights (OCR), <www.hhs.gov/ocr/privacy>, and regional offices (contact information available on the Web site); regional offices are required to provide HIPAA guidance and education to covered providers (along with business associates and patients)

• HHS Centers for Medicare and Medicaid Services (CMS)—Security Rule enforcement, <www.cms.hhs.gov/Enforcement> (note: Security Rule enforcement authority transferred from CMS to OCR, so enforcement information is expected to ultimately be found on OCR's Web site)

• HHS Breach Notification Guidance (4/09) and Breach Notification Regulation (8/09), <www.hhs.gov/ocr/privacy/index.html>

• PRMS's HIPAA Help, <www.psychprogram.com> (Risk Management section)

Donna Vanderpool, M.B.A., J.D., is assistant vice president, risk management, at Professional Risk Management Services Inc. (PRMS).